This orientation session is designed to help attendees make Security & Risk Summit the most productive experience. It will provide you with tips on how to navigate your way through the CISO Circle Program and the overall conference, and give you a chance to meet your fellow CISOs. Topics will include a review of the agenda, interactive sessions, networking and much more, with plenty of time for Q&A.
This session gives you an opportunity to engage with the presenters of this morning’s opening keynote, ask the questions that are top of mind and network with your peers.
A one-page cybersecurity strategy has been the goal for CISOs forever, and the effort always falls short. They are too technical and don’t resonate with the business people, or are so ’soft’ that technical staff don’t know what to do with them. Join this engaging discussion on how to craft a simple, easy-to-use one-page strategy to propel your program to success.
Organizations are experimenting with artificial intelligence in security. As evaluation procedures mature, the first disillusions happen. This discussion will review the state of AI and machine learning usage in various security and risk management areas, and give CISOs recommendations to:
1. Navigate AI marketing
2. Define evaluation principles for solutions adding new algorithmic approaches to existing security fields
3. Prepare to avoid or minimize the backlash when results are not up to expectations
The benefits of information/cybersecurity must be translated into business terminology. This presentation describes proven methods for linking the security to business value.
- What are proven strategies for obtaining business support?
- What is a practical model for communicating the value of a security program?
- What techniques can be used for justifying security projects?
Metrics should inform better decision making. “Business alignment” is spoken about frequently, but execution is challenging throughout the Gartner client base. Key risk indicators (KRIs) should have defensible causal relationships to business impacts and present leading indicators to decision makers. Gartner has developed a methodology to integrate risk and corporate performance that helps achieve these goals.
The increased use of AI in security has not gone unnoticed by attackers. In this session, we explore the attacker’s perspective on machine learning (ML), covering adversarial as well as nefarious ML:
● How attackers may attack ML-based security solutions at the training and prediction stages.
● How ML may accelerate innovation in attacker techniques.
As more security vendors target your hybrid and cloud SaaS, IaaS and PaaS solutions, we are getting lost in too many acronyms. This workshop will help decipher the acronym soup and build a cloud security strategy, including what your organization needs to protect your cloud infrastructure and applications. We will also discuss best practices for implementation and how to evaluate and build a shortlist for your vendor selections.
We can’t prevent all threats, but that doesn’t mean people working on security monitoring and operations can’t start detecting and responding. But how do you do it without breaking the bank? How should you start with detection and response? This workshop will go through a structured approach to find out: 1) What are the basic processes and tools to get right? 2) How do you succeed with a small team? Do you need a SOC? 3) How do you use third parties gracefully and effectively?
Email gateways are the most widely deployed control against phishing. However, prevention is far from perfect. In this session, we discuss the human role in both phishing detection and phishing response. Typical questions that may be asked in this session include: How can we best change user behavior? What are the best practices for security operations when dealing with phishing? Which emerging solutions can support phishing detection and response?
Organizations increasingly adopt cloud-native technology and microservices architecture patterns as they integrate or build applications. The end result is a sprawling landscape of web APIs that must be mediated and secured. In this workshop, we collaboratively work on constructing the core elements of an API management policy encompassing access control, application security and data security.
This session discusses a structured approach to plan, establish and efficiently operate a modern SOC. Organizations with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors of SOC success or failure. Typical questions that may be asked include: Do I need a SOC, and can I afford it? Where can I rely on automation, and where do I need to outsource or delegate? Can SOAR tools really automate my SOC?
How do you start building a cloud security architecture? Do you use business needs and context to guide the selection of logical controls? What cloud-provider-native and third-party vendor security offerings are available as security components? This session presents steps to construct a cloud security architecture while aligning with required best practices, frameworks and standards.
Technical professionals are confronted with attacks that target web applications and APIs and they struggle to find the appropriate mix of security controls. This session examines:
- What are the common attack patterns?
- What technologies are useful in mitigating each type of attack?
- What adjustments must be made for cloud-native application development?
Learn how SABSA can help deliver a business-aligned security architecture for your organization. The workshop introduces SABSA’s methodology. In the workshop, work with other delegates to derive logical security requirements from business needs and map logical security to physical security mechanisms and components. Participants will take away next-steps guidance for applying and learning more about SABSA.
This session will discuss the advanced security features included in the M365 E5 license suite. We will also discuss licensing, then dive into advanced data protection, email protection, conditional access, Azure AD Premium P2 and all of the other advanced features. Then we will compare and discuss use cases where third-party solutions can be integrated and whether they are required.
The MITRE ATT&CK framework has quickly become a popular tool for many security operations practices. This session illustrates how it can be used to address some of the most common challenges of security operations centers. Key topics will include:
- How to create security monitoring use cases?
- How do you know if you are looking for the right things?
- What should be the starting list of use cases on your SIEM deployment?
Organizations have embraced agile development methodologies and DevOps practices, and technical professionals must find ways to integrate application security into this world. This session will examine:
- What are the ways to modernize secure design practices like threat modeling?
- How can you perform continuous security testing as part of CI/CD?
- How do you effectively leverage security controls external to code?
As traditional perimeters drop, the endpoint is becoming the last line of defense against breaches. This session will discuss the changing nature of the endpoint and endpoint workloads as well as defensive strategies. This session will explore:
- The changing nature of the workload on endpoints from Win32 to cloud applications and the changing form factors from mobile
- Attacker tradecraft from targeted nation-state tools to mass-propagated automated attack kits.
- The changing endpoint defensive strategies from detection and response to proactive hardening.
There is growing interest in and vendor marketing of a "zero trust" approach to networking. Zero trust starts with an initial security posture of default deny. However, for business to happen, ultimately trust must be established and continuously assessed - a strategic approach embodied in Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA). This presentation will explain the concept of zero trust networking, map it to Gartner's CARTA strategic approach and provide specific examples and recommendations for zero trust networking and other information security projects in 2019.
IAM encompasses workforce and customer identities and access to manage risk, reduce fraud and other losses and enable desired business outcomes. Digitalization forces IAM leaders to focus on time to value, employee engagement and customer satisfaction. This session will discuss:
- What does a successful IAM program look like?
- How can IAM quickly deliver real business value and support cyber defense?
- How will IAM technology investments evolve?
It would be easy to assume that investing in the latest EPP and EDR tools and deploying the latest operating system and patches is enough to protect against attack. However, high-profile incidents and regular reports of advanced persistent threats and state-sponsored hacking indicate otherwise. This session examines: What are the techniques used by attackers that are still able to defeat the best protection and evade detection? How can you deploy other tools and techniques to still detect and respond to these events?
Siloed IoT/OT implementation and management distract from the real security and safety implications of the convergence of digital technologies and physical assets. To be effective, security and risk management leaders must instead holistically address the needs of cyberphysical systems. This session will discuss the opportunities and challenges related to securing cyberphysical systems.
As identity and access management activities align more with an organization’s digital objectives, security and risk management leaders responsible for IAM recognize the need to manage IAM as a program in its own right. Join this session to ask questions such as:
- How can I justify the IAM program?
- How should I establish program responsibilities?
- How can I establish program governance?
This session will highlight the latest trends in network-based advanced threat detection, including new techniques for anomaly detection. We will address challenges such as the growing percentage of encrypted traffic and its impact on threat detection. Attendees will learn about the key vendors in the market.
Web access, and our approach to securing it, is changing in the cloud era. Due to the rapid adoption of SaaS applications like Office 365, Salesforce and others, enterprises are rearchitecting their WANs to provide internet access directly from remote offices. This new approach is shifting web security to the cloud, with architectures based on proxies, DNS or firewalls. Here, we analyze the options.
Application architectures are changing drastically, yet most organizations still protect their applications with traditional defenses. Applications become more dynamic, run on untrusted and unattended devices, and the software logic is increasingly distributed between various back ends and the front end. Serverless, mobile and single-page applications are only a few examples. This trend is leading to new threats and new application-level attacks that the industry has recently been experiencing. This session will provide a strategy for security and risk management leaders to shift their approach and stop this trend from becoming a security failure. From application shielding to runtime application protection to browser protections, we will present the approaches, tools and vendors that will secure modern applications.
1. How are applications changing with digital business?
2. What strategies, tools and techniques can SRM leaders responsible for the security of applications and data put in place to protect against threats?
Modern security operations are evolving. They rely heavily on foundational technologies such as SIEM to accomplish their mission, and also adopt various analytics approaches. They struggle with more automation — of both thinking and acting — that promises to relieve humans from routine tasks, but sometimes adds more work to already overworked security teams. This session will examine:
● What defines best-in-class security operations of 2019?
● What trends are affecting security operations?
● What will the future bring?
Service providers and end users may have very different definitions of what "response" means in the context of triage, investigation and action related to security alerts. In this session, we’ll explore the various types of "response" on offer from service providers, and discuss how and when those might fit into an organization’s security monitoring operations. Typical questions that may be asked include: What do vendors mean by "response"? What is the difference between "response" and "Response"? What makes sense for my organization?
The threat landscape is a moving target. Attack campaigns might hit multiple organizations, but each enterprise should analyze its own threat landscape. Security and risk management leaders should gain baseline knowledge on:
1. Future trends more than statistics about the past
2. Potential threats more than attack patterns
3. Response options more than defense technologies
MSS SLAs in their current format are not valuable, nor do they promote good service quality. Security and risk management leaders require a wider view of the indicators for measuring managed security services to ensure the correct level of integration and efficiency is provided to their organization by the service provider. During this session we will discuss:
● What are common SLAs in the market?
● Why don’t traditional approaches to SLA measurement work?
● Modern approaches to the problem.
Many vulnerability management programs fail to properly prioritize vulnerabilities for remediation, overloading the IT teams responsible for patching and testing systems. This session discusses what organizations must do to properly prioritize vulnerabilities identified by vulnerability assessments. Typical questions might include: How can I go beyond CVSS? How can I expand prioritization to incorporate asset and threat context?
Buyers are increasingly adding incident response services, but fewer are adding data breach response services. These are distinct offerings, but are often confused as being the same service. In this session for security and risk management leaders, we explain the differences between the services, the questions to consider when determining whether you need one or both, and the provider landscape for these services.
The penetration testing market is undergoing a transformation. Security and risk management leaders responsible for threat and vulnerability management need to understand the options available to them and how to select the best option. Questions to be addressed in this session include:
- What types of tests are available in the market?
- Should you hire a single firm or use crowdsourcing?
- What new approaches and technologies are poised to disrupt the pen testing market?
Machine learning (ML) has become a standard component in endpoint protection. This session explores the progress of ML in endpoint protection and provides real examples and demos of its qualities and limitations. Typical questions that may be asked include:
- What advantages does ML have over other techniques?
- How good is ML for endpoint protection?
- What does the future hold for ML in endpoint security?
SaaS SIEM can offer concrete benefits to organizations that lack the resources to run SIEM products deployed on-premises. This session explores the potential benefits of SaaS SIEM, recognizes the challenges this type of delivery model may present and offers guidance to help potential buyers determine whether SaaS SIEM is an appropriate option for them. We address:
● Where does SaaS SIEM fit in the landscape of security monitoring products and services?
● What are the benefits and the challenges?
● How to determine whether SaaS SIEM may be a good option for your requirements?
It’s hard for organisations to identify the right type of detection service for their needs and use cases. Join this session to ask questions such as:
- What are the main differences between an MDR and an MSSP?
- Why are they different?
- How do I know which to choose, and what are the key indicators for making the right decision?
- Who are the core players in this market, and what are their differentiators?
This session will break down the difference between the techniques and technologies used to build a detection capability. It will also offer guidance on how to align them with your internal processes, while highlighting the most important things to get right. Attend this session and learn:
- How to look at your overall requirements and align methodologies to certain types of use cases.
- How to identify the key elements of your environment?
- Do you have the data?
- Where should you focus?
- Should you use an MSSP?
- What are the reasons that your business should take its newfound requirements and pass them to an MSSP?
- How do you understand what is most cost-effective?
Once you’ve made the decision to buy a SIEM tool, choosing the best one is a daunting task for many organizations. This presentation will discuss:
- What should you do to prepare for buying a SIEM solution?
- What is a modern SIEM and what does it do?
- What is the current SIEM vendor landscape?
Cloud security remains a top priority. This presentation summarizes the problems, recommended processes, and new product types to address three key issues:
- What are the unique risks associated with public cloud service providers, and how can they be controlled?
- What are the unique security challenges of IaaS, and how can they be mitigated?
- What are the unique control challenges of SaaS, and how can they be addressed?
Cloud-native applications rely heavily on containers and serverless functions to build out event-driven, microservices-based application architectures. Legacy on-premises security patterns won’t work and won’t scale for the needs of cloud-native applications. This presentation will discuss the security patterns and best practices for securing cloud-native applications, including container security.
In a world of cloud, does infrastructure security matter? As organizations move more services to the cloud, the problem shifts to managing user access, and data. Attend this session to learn about emerging trends on the convergence of cloud, identity and data security, as well as best practices regarding cloud security, that you can leverage now.
Many organisations have separated the management of data analytics, IT, security and even privacy. This session will give you a chance to ask questions such as: How can a data security governance framework provide business focus? What are the practical steps to develop the framework? How can the framework shape a successful data security strategy?
Consumers have unrelenting expectations for smooth and friction-free experiences when dealing with retailers and financial institutions. This is often at odds with the various anti-fraud mechanisms that security leaders have implemented. A new approach is required to reduce the tension between CX and fraud management, and instead blend a spectrum of technologies to deliver the smooth customer experience that most customers want and deserve.
Data, data everywhere and not a drop should leak. Your enterprise data wants to travel as broadly as it can — not only within the enterprise but across a panoply of cloud services and an endless proliferation of endpoints. Who needs heroic levels of DLP? How can you monitor, track, and manage something seemingly impossible? What are the best product and service options available today?
Organizations must balance growing investment opportunities against growing financial risks for data. This session will explore:
● How infonomics can be used to assess the financial risks caused by security, compliance or accidental events
● How to use the risk assessment to categorize and prioritize each data set for action
● How to develop financial investment strategies to manage the different data-risk categories and apply appropriate investment, management or security actions
Security and risk management leaders need to develop security strategies that treat data as a pervasive asset (and liability). New data privacy laws and the continued growth of data breaches are increasing business risks. Data security governance is an emerging risk-based framework that will help plan and orchestrate policies across data security products that are siloed and do not integrate.
Data encryption is frequently cited as a requirement to meet various data protection and privacy regulations. Join this session to ask questions such as:
- What do the regulations require?
- What does encryption or tokenization actually provide for data security?
- Do I need to apply any other data security controls?
As cloud becomes more significant, it becomes more formalized, driving more interest in written policies. The attendees in this workshop will discuss their cloud policy thoughts, hopes and dreams — and will share practical experience in the form, content, dissemination and enforcement of cloud policy.
Blockchain is a technology that depends on widespread, public dissemination of information to generate trust and resilience. However, this is often seen as a problem for privacy, especially with regulations like GDPR, which hold a high bar for consent and data privacy. Can blockchain meet these kinds of regulatory requirements? If so, how? What are the limits of blockchain in protecting user data?
Organizations have embraced agile development methodologies and DevOps practices, and technical professionals must find ways to integrate application security into this world. Typical questions that may be asked in this session include:
- What are the ways to modernize secure design practices like threat modeling?
- How can I perform continuous security testing as part of CI/CD?
- How do I effectively leverage security controls external to code?
Developers in agile and DevOps are told to "own their code," which includes security. However, most developers have had minimal training in or interest in it. How can developers make progress? How can development leads and CIOs change the culture around security? How can developers avoid long, ineffective classes on secure coding? Find out how to use coaches to overcome these and other problems.
Cloud computing represents a fundamental shift in the way IT projects are planned, built, delivered, maintained — and secured. Many existing practices and habits do not easily map to as-a-service models.
- How does cloud security differ from on-premises security?
- What are the most important new concepts and capabilities to understand and develop?
- How can we avoid falling into debate traps over whether the cloud is secure?
Risk management continues to be an area of growing maturity and investment for most organizations, as the risk landscape becomes increasingly complex and interconnected. As a result, new technology solutions are emerging to increase the collaborative nature of risk management and support data-driven decision making. This session explores how integrated risk management (IRM) will help improve risk management practices in 2019 and beyond.
Security incidents are not just a possibility but an inevitability. It is important for organizations of all sizes to have a well-planned incident response (IR) strategy, as well as the ability to retain outside assistance if needed. This session will cover the options that an incident response retainer provides, as well as the characteristics of various IR providers.
There are many tools and methods for assessing vendor risks. These range from short assessment surveys to onsite audits, attestations and certifications. This session will give you an opportunity to ask questions about the methods and practices that enterprises are adopting to improve what is often the most problematic and inefficient process in vendor risk management.
Educating business managers on the value of organizational resilience is a challenge for many. Often, this challenge arises because business managers don’t understand or appreciate the value of availability and resilience risk information or their relationship to it, leading to no change in the level of resilience for the organization. This session will discuss how to craft risk-adjusted leading performance indicators that will measure the organization’s level of resilience.
While blockchain is very popular and organizations are increasingly looking for ways to leverage the technology, recent developments in cryptocurrency have shown that there are unacknowledged security risks. Typical questions that may be asked in this session include: What are the business, systematic and PKI risks to blockchain, and how can they be mitigated? Are there any successful, large-scale implementations that can serve as models?
Vendor risk management isn’t just required in highly regulated industries; it’s good practice in all industries. But today’s approaches are mired in lengthy and complex assessment surveys that span a variety of threats and risks. This session will discuss how to improve and enhance your model for managing vendor risks. Why is vendor risk management important now? What are the current best practices in a vendor risk management life cycle? How can you improve the efficiency and value of your vendor risk management programs?
The presentation will explore experiences that have worked and/or failed to protect employees and their business data when traveling internationally. Topics will include loss, theft, surrender of login and password credentials, export controls, encryption and masking, VPNs and other secured communications, and variations in workplace rights and expectations. Attendees will receive copies of Gartner’s international travel advice and examples of travel rules and policies from real companies.
Digital business is forcing changes in the focus, direction and currency of organizations. It is even changing what leaders believe the management of risk is. This presentation describes those changes, their impacts and your options in evolving the current risk process — or allowing its extinction in favor of something new.
The digital business must trust a growing set of external entities, including cloud services, professional services, suppliers and other intimately connected organizations. Typical questions that may be asked in this session include:
- Will they infect you with malware?
- Will they safely protect your information?
- How do other organizations scale themselves to assess the security risk represented by hundreds or thousands of external parties?
This workshop session will explore an incident response scenario that requires planning, response and recovery from a phishing attack. The initial phishing attack will be due to an accidental data disclosure that then enables the adversary to commit fraud and tarnish your brand; the scenario includes elements of account takeover and business email compromise.
As privacy regulations evolve, security and risk management leaders with a focus on privacy are finding it harder to work with information, and almost impossible to combine multiple data sets, especially when working collaboratively with third parties. This session will address your questions and look at the techniques and technologies that will allow you to develop a repeatable process to work with personal data, including how to handle the risk of mining large data sets of personal information for the purpose of analytics, fraud prevention or undirected discovery.
The launch of the European Network and Information Systems Directive can have a significant impact on organizations. Security and risk management leaders should be aware of and prepare for the impact of this directive. This session will explore the two categories of sectors designated by the EU, the types of organizations in scope for the directive and the measures imposed by the EU.
The GDPR has come to be the epicenter of a privacy renaissance. Security and risk management leaders responsible for privacy management will have the opportunity to follow the repercussions within Europe as well as the effects the regulation has had on the global privacy landscape. Attendees will walk away with a practical, strategic future view of the regulatory requirements and ethical expectations when handling personal data at a global scale.
It is now common practice, and in certain cases mandated by regulation, for a board of directors to require periodic reporting and event-based updates on the state of security and risk management in an enterprise. Developing and communicating an effective message that balances the need to protect with the need to run your business is critical to success. However, in many cases, security and risk leaders are left frustrated and/or unable to answer elementary questions that the board asks. This presentation will discuss:
1) What is the role of the board and what do they care about?
2) What are some of the most common questions that board members ask? (And a talk track for these questions.)
3) How can security and risk leaders flip the conversation to educate the Board on issues that they need to know about?
Enterprise risk management (ERM) programs provide a broad, horizontal view of strategic, financial and reputational risks across an organization. But they lack the ability to provide a vertically integrated view of risk that spans business operations. Gartner recommends an integrated risk management (IRM) approach that links the strategic focus of ERM programs with the tactical steps necessary to secure the most relevant business assets. This session gives you a chance to ask questions such as:
● How can IRM help to limit the amount of business disruption associated with major cyberattacks?
● What IRM technology solutions can enable better ERM?
● What is the future of IRM technology?
From social engineering to brand impersonation, social media threats can impact a company’s reputation and weaken its security posture if not well managed. This session will explore best practices and frameworks to keep your organization secure.
The business impact analysis (BIA) is the essential foundation for the development of cross-functional business continuity and disaster recovery plans. This session will cover how the BIA can provide vital information in the preparations for managing a cyberattack.
Join this session to see how organizations have streamlined their privacy management programs. Typical questions might include: Are you spending too much time doing manual repetitive work? Is responding to subject rights requests adding up? Are you confident in how you are handling consent after the Google fine?
The fraud threats facing B2C retail and financial services businesses have become so widespread that organisations are struggling to maintain a complete view of both the attack vectors and their responses to them. Infrastructure, IAM, UX, payment and brand teams are all involved — often in silos. Today’s security leaders need to show cross-functional leadership to create an organisation-wide strategy for dealing with fraud in all its forms.
Digital transformation continues to challenge the conventions of information risk and security management. It requires a coherent digital security program based on a clear vision and strategy. This presentation will:
- Share a compelling vision for security and risk management.
- Identify the key ’digital differences’ that must be integrated into the security program.
"Top" trends highlight ongoing strategic shifts in the security ecosystem that aren’t yet widely recognized, but are expected to have broad industry impact and significant potential for disruption. This presentation will describe the most significant trends in cybersecurity and how leading organizations are taking advantage of these trends. Key issues explored will include:
- Top technological improvements in the security product landscape
- Trends in creating a top-notch security organization
- Strategic trends that will influence security strategy
After more than 10 years of understanding the need to put cybersecurity and technology risk in a business context, organizations still struggle. The foundation of a mature security function that can offer defined levels of protection at defined cost is a business-centric service catalog. Writing business-centric value statements for risk and security bridges the knowledge gap with executives.
Security and Risk Management Leaders should implement or improve upon these Top 10 security projects in 2019. Any security project must be supported by technology, address the changing needs of cybersecurity and reduce risk by adopting a CARTA strategic approach with all security projects.
Security and risk management leaders often find themselves in political discussions, which can be high stakes and challenging to navigate successfully. This session helps you recognize when you are in a political conversation, and provides practical techniques for managing the potential conflict and reaching a successful outcome.
Security and Risk Management leaders are often faced with the continuous challenge of developing and (re)shaping their cybersecurity program strategy based on changing business needs and risk appetite. This presentation will define the basic elements of a security program, describe the differences between each layer and tie them into an overall strategy planning process that will ensure a defensible security program that facilitates business needs.
Traditional security approaches won't work well with DevOps-style workflows, yet organizations are tasked with the security and compliance of the applications and services that are delivered from these rapid development processes. This presentation will outline specific best practices to integrate security into DevOps, delivering DevSecOps, without breaking the collaborative nature of DevOps.
Numerous studies indicate that there are notable gender differences in how we approach enterprise risk, from the entry level to the boardroom. This session will be a facilitated discussion focusing on how women can optimize their unique strengths in leadership and risk and manage the challenges that sometimes accompany gender dynamics. We will pay special attention to the organizational politics that can impact enterprise diversity and how to deal with them.
There is no such thing as a perfect, universally appropriate model for security organizations. Every enterprise must develop its own model, taking into consideration basic principles, practical realities and the challenges of digital transformation. This presentation will address the following key issues:
- What are the trends and challenges in security organization design?
- What are the factors that influence security organization?
- What are the current best practices and contemporary conceptual design models for security organization?
Cybersecurity is one of the most misunderstood words in our profession today. Just what it means, and why you should care, is the topic of this "Ask the Expert" session. Join this session to ask the Gartner Expert questions that clarify the definition of cybersecurity, its taxonomy and critical areas of coverage, and establish a common language with vendors and providers.
The biggest challenge for security and risk management leaders is how to communicate more effectively with a range of stakeholders. Stop using acronyms, jargon and technobabble; get more traction, align with business goals and be viewed as a strategic leader. This session will discuss:
- What are the benefits of better communication?
- What are the top causes of miscommunication?
- How can you be a more effective risk communicator?
Retailers and financial institutions typically add new technology to their payment fraud detection processes in the wake of a fraud attack, and fail to continually improve their capabilities on an ongoing basis. As a result, many organizations struggle with suboptimal processes. This workshop will help leaders to break out of this cycle by planning a considered payment fraud detection strategy.
How much risk is too much? Let’s manage to our risk appetite! Sounds easy, but most CISOs don’t know what their enterprise or cybersecurity risk appetite is. Join us on a trip to effective and efficient risk management. This session will explore:
- What is risk appetite, and why do you need to know yours?
- Best practices for having risk appetite discussions.
- What does a good cybersecurity risk appetite statement look like?
Left to itself, SaaS becomes an unruly pet. Data shares open to the Internet, regulatory noncompliance, overspend and collaboration sprawl negatively impact everyone. This session examines: What are the problems with SaaS? What processes and policies can help manage SaaS use? What tools can help govern SaaS?
As complexity continues to grow and risks, threats and vulnerabilities multiply with no end in sight, how can security and risk management leaders move beyond reacting? Attendees will learn how to think differently about their role in value preservation and value creation, and how finding sweet spots in a human to machine continuum can help. This is the security and risk management leaders’ new imperative.
Security leaders are faced with the challenge of a competitive labor market and often miss opportunities to attract the right skill sets to digitally transform. However, reports show that despite the growing number of women graduating in STEM, women remain underrepresented in the cybersecurity fields. This session focuses on answering questions about how traditional recruiting efforts might be sabotaging diversity in the workplace and placing the organization at risk.
Security and risk management leaders have struggled to hire and retain staff with the right skills, especially since the inception of digital business. Leaders have begun to accept the shortage of skills as a reality and continue to look for ways to manage this reality. In this presentation, we discuss the outlook for security talent in digital businesses and address the following questions: What can you do to ensure your team’s skill sets are developed for a digital world? What does the future of talent look like with technologies such as machine learning, blockchain and IoT looming? What are some of the emerging roles that leaders should plan for as organizations transform their digital businesses? How can organizations stay ahead of the curve and ensure that they are able to manage the risk of participating in a digital ecosystem?
Almost 50% of CIOs indicate that culture is the biggest barrier to digital business success. Culture is one of the five major imperatives of ContinuousNext, a strategy to converge IT with its organization. A risk-aware culture ensures that the protection of that convergence is a priority. This presentation introduces ContinuousNext, risk-culture fundamentals, and actions to ensure a risk-aware culture.
Fraud prevention leaders have mastered the art of detecting and preventing fraudulent account activity and payment events in many verticals and use cases. But as customers change the way they interact with each other and the relentless demand for a frictionless customer experience increases, have the old ways failed to evolve? Typical questions that may be asked include:
- How do you balance using rules vs. machine learning?
- Is it more effective to look for signs of good behaviour than bad behaviour?
- How can you avoid treating all your customers like criminals?
Effective cybersecurity is predicated on a defensible program. This presentation introduces and discusses the characteristics of a defensible security program.
Key issues covered are:
- What are the components of a cybersecurity program?
- What makes the program defensible to key stakeholders?
Society treats security like a black box and security people like wizards. They expect you to cast some spells, protect the organization, and if there is an incident, the primary question is “who made a mistake?” To address this, we can double down on teaching people the complexities and technology of security or we can change the conversation. In this session we will debate the necessity of changing the public's perception of cyber security and the value of doing so to improve government and executive engagement.
Great engagement between stakeholders is an essential component to the success of any risk and security program. Treat the experience of how risk and security is delivered as a fundamental component of what is delivered. The same techniques used to excel in customer experience can also be used to improve the delivery of appropriate technology risk and cybersecurity.
Security and risk management leaders are challenged to continuously adapt their organizations to meet the needs of rapid changes in digital business. This presentation introduces the Gartner Operating Model for the Information Security Function to address this challenge. This operating model represents how the security function orchestrates its capabilities to deliver against its operational and strategic objectives.
Trusted digital identity is critical for enabling digital trust. To take advantage of digital business opportunities, IAM leaders must leverage various trusted digital identity models, including BYOI, to satisfy consumer needs, enabling simple, convenient and secure access. Audience members will learn why noninteroperable digital identities will not scale with the needs of digital business.
CISOs are continually asked for quantitative valuations of cybersecurity risk. When they come to the table with numbers that are based on models, estimates and guesses, to nobody’s surprise, business leaders don’t believe them. Join this session to ask questions such as:
- Does quantitative risk assessment work?
- What are the best practices for using quantitative assessment?
- How can qualitative risk assessment be leveraged effectively?
- Are there vendors that can help?